Software Engineering Institute | Carnegie Mellon©
CERT NetSA Security Suite
Monitoring for Large-Scale Networks

YAF

Documentation

YAF

  • Documentation
  • Downloads
  • Main Page
  • Data Structures
  • Files
  • File List
  • Globals

yaftab.h

Go to the documentation of this file.
00001 /*
00002  ** yaftab.h
00003  ** YAF Active Flow Table
00004  **
00005  ** ------------------------------------------------------------------------
00006  ** Copyright (C) 2006-2012 Carnegie Mellon University. All Rights Reserved.
00007  ** ------------------------------------------------------------------------
00008  ** Authors: Brian Trammell
00009  ** ------------------------------------------------------------------------
00010  ** @OPENSOURCE_HEADER_START@
00011  ** Use of the YAF system and related source code is subject to the terms
00012  ** of the following licenses:
00013  **
00014  ** GNU Public License (GPL) Rights pursuant to Version 2, June 1991
00015  ** Government Purpose License Rights (GPLR) pursuant to DFARS 252.227.7013
00016  **
00017  ** NO WARRANTY
00018  **
00019  ** ANY INFORMATION, MATERIALS, SERVICES, INTELLECTUAL PROPERTY OR OTHER
00020  ** PROPERTY OR RIGHTS GRANTED OR PROVIDED BY CARNEGIE MELLON UNIVERSITY
00021  ** PURSUANT TO THIS LICENSE (HEREINAFTER THE "DELIVERABLES") ARE ON AN
00022  ** "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY
00023  ** KIND, EITHER EXPRESS OR IMPLIED AS TO ANY MATTER INCLUDING, BUT NOT
00024  ** LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE,
00025  ** MERCHANTABILITY, INFORMATIONAL CONTENT, NONINFRINGEMENT, OR ERROR-FREE
00026  ** OPERATION. CARNEGIE MELLON UNIVERSITY SHALL NOT BE LIABLE FOR INDIRECT,
00027  ** SPECIAL OR CONSEQUENTIAL DAMAGES, SUCH AS LOSS OF PROFITS OR INABILITY
00028  ** TO USE SAID INTELLECTUAL PROPERTY, UNDER THIS LICENSE, REGARDLESS OF
00029  ** WHETHER SUCH PARTY WAS AWARE OF THE POSSIBILITY OF SUCH DAMAGES.
00030  ** LICENSEE AGREES THAT IT WILL NOT MAKE ANY WARRANTY ON BEHALF OF
00031  ** CARNEGIE MELLON UNIVERSITY, EXPRESS OR IMPLIED, TO ANY PERSON
00032  ** CONCERNING THE APPLICATION OF OR THE RESULTS TO BE OBTAINED WITH THE
00033  ** DELIVERABLES UNDER THIS LICENSE.
00034  **
00035  ** Licensee hereby agrees to defend, indemnify, and hold harmless Carnegie
00036  ** Mellon University, its trustees, officers, employees, and agents from
00037  ** all claims or demands made against them (and any related losses,
00038  ** expenses, or attorney's fees) arising out of, or relating to Licensee's
00039  ** and/or its sub licensees' negligent use or willful misuse of or
00040  ** negligent conduct or willful misconduct regarding the Software,
00041  ** facilities, or other rights or assistance granted by Carnegie Mellon
00042  ** University under this License, including, but not limited to, any
00043  ** claims of product liability, personal injury, death, damage to
00044  ** property, or violation of any laws or regulations.
00045  **
00046  ** Carnegie Mellon University Software Engineering Institute authored
00047  ** documents are sponsored by the U.S. Department of Defense under
00048  ** Contract FA8721-05-C-0003. Carnegie Mellon University retains
00049  ** copyrights in all material produced under this contract. The U.S.
00050  ** Government retains a non-exclusive, royalty-free license to publish or
00051  ** reproduce these documents, or allow others to do so, for U.S.
00052  ** Government purposes only pursuant to the copyright license under the
00053  ** contract clause at 252.227.7013.
00054  **
00055  ** @OPENSOURCE_HEADER_END@
00056  ** ------------------------------------------------------------------------
00057  */
00058 
00059 /*
00060  * This is the documentation for the _old_ yaftab.h; it is no longer current,
00061  * and should not be read by anyone.
00062  *
00063  * Flow generation interface for YAF. This facility works by maintaining a
00064  * current flow table. Packets may be added to the active flows within this
00065  * table using the yfFlowPkt() call. Completed flows may be written to an
00066  * IPFIX message buffer using yfFlowFlush().
00067  *
00068  * The flow table is configured by a number of global variables.
00069  *
00070  * <tt>yaf_idle</tt> sets
00071  * the idle timeout in seconds. A flow that receives no packets for the idle
00072  * timeout is assumed to be complete. The idle timeout is set to 300 seconds
00073  * (five minutes) by default.
00074  *
00075  * <tt>yaf_active</tt> sets the active timeout in seconds.
00076  * The maximum duration of a flow is the active timeout; additional packets
00077  * for the same flow will be counted as part of a new flow. The active timeout
00078  * is set to 1800 seconds (half an hour) by default.
00079  *
00080  * <tt>yaf_flowlim</tt> sets the maximum size of the flow table; flows exceeding
00081  * this limit will be expired in least-recent order, as if they were idle. The
00082  * flow limit defaults to zero, for no limit. Use this global to limit resource
00083  * usage by the flow table.
00084  *
00085  * <tt>yaf_paylen</tt> sets the number of bytes of payload to capture from the
00086  * start of each flow. The payload length defaults to zero, which disables
00087  * payload capture.
00088  *
00089  * <tt>yaf_uniflow</tt>, if TRUE, exports flows in uniflow mode, using the
00090  * record adjacency export method described in section 3 of
00091  * draft-ietf-ipfix-biflow. Defaults to FALSE.
00092  *
00093  * <tt>yaf_macmode</tt>, if TRUE, exports layer 2 information with each flow;
00094  * presently this is limited to VLAN tags but may be expanded to include the
00095  * MPLS stack and MAC addresses in the future. Defaults to FALSE.
00096  *
00097  * <tt>yaf_silkmode</tt>, if TRUE, enables SiLK compatibility mode. In this
00098  * mode, totalOctetCount and reverseTotalOctetCount are clamped to 32 bits.
00099  * Any packet that would cause either of these counters to overflow 32 bits
00100  * will force an active timeout. The high-order bit of the flowEndReason IE
00101  * is set on any flow created on a counter overflow, as above, or on an active
00102  * timeout. Defaults to FALSE.
00103  *
00104  * <tt>yaf_reqtype</tt> limits the flow table to collecting IPv4 or IPv6 flows
00105  * only. Set to YF_TYPE_IPv4 for IPv4 flows only, YF_TYPE_IPv6 for IPv6 flows
00106  * only, or YF_TYPE_IPANY (the default) to collect both IPv4 and IPv6 flows.
00107  *
00108  * This facility is used by YAF to assemble packets into flows.
00109  */
00110 
00119 #ifndef _YAF_TAB_H_
00120 #define _YAF_TAB_H_
00121 
00122 #include <yaf/autoinc.h>
00123 #include <yaf/yafcore.h>
00124 #include <yaf/decode.h>
00125 
00126 
00127 struct yfFlowTab_st;
00132 typedef struct yfFlowTab_st yfFlowTab_t;
00133 
00203 yfFlowTab_t *yfFlowTabAlloc(
00204     uint64_t        idle_ms,
00205     uint64_t        active_ms,
00206     uint32_t        max_flows,
00207     uint32_t        max_payload,
00208     gboolean        uniflow,
00209     gboolean        silkmode,
00210     gboolean        macmode,
00211     gboolean        applabelmode,
00212     gboolean        entropymode,
00213     gboolean        fingerprintmode,
00214     gboolean        fpExportMode,
00215     gboolean        udp_max_payload,
00216     uint16_t        udp_uniflow_port,
00217     char            *pcap_dir,
00218     char            *pcap_meta_file,
00219     uint64_t        max_pcap,
00220     gboolean        pcap_per_flow,
00221     gboolean        force_read_all);
00222 
00231 void yfFlowTabFree(
00232     yfFlowTab_t     *flowtab);
00233 
00241 void yfUpdateRollingPcapFile(
00242     yfFlowTab_t                *flowtab,
00243     GString                    *new_file_name);
00244 
00255 void yfGetFlowTabStats(
00256     yfFlowTab_t *flowtab,
00257     uint64_t *packets,
00258     uint64_t *flows,
00259     uint32_t *peak,
00260     uint32_t *flush);
00261 
00274 void yfFlowPBuf(
00275     yfFlowTab_t                 *flowtab,
00276     size_t                      pbuflen,
00277     yfPBuf_t                    *pbuf);
00278 
00293 gboolean yfFlowTabFlush(
00294     void            *yfContext,
00295     gboolean        close,
00296     GError          **err);
00297 
00305 uint64_t yfFlowTabCurrentTime(
00306     yfFlowTab_t     *flowtab);
00307 
00317 uint64_t yfFlowDumpStats(
00318     yfFlowTab_t     *flowtab,
00319     GTimer          *timer);
00320 
00321 #endif
© 2006-2012 Carnegie Mellon University